From 12f231eb13a4f3f8d4b2d6edec8067ef5d0a7f0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Tue, 13 Apr 2021 16:57:56 -0600
Subject: [PATCH 01/18] chore:updated sum

---
 go.sum | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.sum b/go.sum
index 4254787ddf5..e9b7c3b44c5 100644
--- a/go.sum
+++ b/go.sum
@@ -55,6 +55,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.31.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
+github.com/aws/aws-sdk-go v1.38.2 h1:qUXZReQck3SdPwMN3HnNk1Mgq2jJJ2T7V+790HthW4g=
+github.com/aws/aws-sdk-go v1.38.2/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.38.12 h1:khtODkUna3iF53Cg3dCF4e6oWgrAEbZDU4x1aq+G0WY=
 github.com/aws/aws-sdk-go v1.38.12/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=

From f5d966199a5371d3e6d1b20430106033a5bf5aaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Tue, 13 Apr 2021 16:58:21 -0600
Subject: [PATCH 02/18] feat: added resource aws macie2 account

---
 aws/provider.go | 1 +
 aws/resource_aws_macie2_account.go | 183 +++++++++++++++++
 aws/resource_aws_macie2_account_test.go | 248 ++++++++++++++++++++++++
 3 files changed, 432 insertions(+)
 create mode 100644 aws/resource_aws_macie2_account.go
 create mode 100644 aws/resource_aws_macie2_account_test.go

diff --git a/aws/provider.go b/aws/provider.go
index fdbcdad46f7..ea0e9b7f8d6 100644
--- a/aws/provider.go
+++ b/aws/provider.go
@@ -1115,6 +1115,7 @@ func Provider() *schema.Provider {
 "aws_xray_group": resourceAwsXrayGroup(),
 "aws_xray_sampling_rule": resourceAwsXraySamplingRule(),
 "aws_workspaces_ip_group": resourceAwsWorkspacesIpGroup(),
+ "aws_macie2_account": resourceAwsMacie2Account(),
 
 // ALBs are actually LBs because they can be type `network` or `application`
 // To avoid regressions, we will add a new resource for each and they both point

diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
new file mode 100644
index 00000000000..4310b05d518
--- /dev/null
+++ b/aws/resource_aws_macie2_account.go
@@ -0,0 +1,183 @@
+package aws
+
+import (
+ "context"
+ "fmt"
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/macie2"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+ "log"
+ "time"
+)
+
+const (
+ errorMacie2AccountCreate = "error enabling Macie2 Account: %s"
+ errorMacie2AccountRead = "error updating Macie2 Account (%s): %w"
+ errorMacie2AccountUpdating = "error updating Macie2 Account (%s): %w"
+ errorMacie2AccountDelete = "error disabling Macie2 Account (%s): %w"
+ errorMacie2AccountSetting = "error setting `%s` for Macie2 Account (%s): %s"
+)
+
+func resourceAwsMacie2Account() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: resourceMacie2AccountCreate,
+ ReadContext: resourceMacie2AccountRead,
+ UpdateContext: resourceMacie2AccountUpdate,
+ DeleteContext: resourceMacie2AccountDelete,
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "client_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "finding_publishing_frequency": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ ValidateFunc: validation.StringInSlice([]string{"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}, false),
+ },
+ "status": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ ValidateFunc: validation.StringInSlice([]string{"PAUSED", "ENABLED"}, false),
+ },
+ "service_role": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "created_at": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "updated_at": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ }
+}
+
+func resourceMacie2AccountCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).macie2conn
+
+ input := &macie2.EnableMacieInput{}
+
+ if v, ok := d.GetOk("client_token"); ok {
+ input.ClientToken = aws.String(v.(string))
+ }
+ if v, ok := d.GetOk("finding_publishing_frequency"); ok {
+ input.FindingPublishingFrequency = aws.String(v.(string))
+ }
+ if v, ok := d.GetOk("status"); ok {
+ input.Status = aws.String(v.(string))
+ }
+
+ log.Printf("[DEBUG] Enabling Macie2 Account: %v", input)
+
+ var err error
+ err = resource.RetryContext(ctx, 4*time.Minute, func() *resource.RetryError {
+ _, err = conn.EnableMacieWithContext(ctx, input)
+ if err != nil {
+ if isAWSErr(err, macie2.ErrorCodeClientError, "") {
+ log.Printf(errorMacie2AccountCreate, err)
+ return resource.RetryableError(err)
+ }
+
+ return resource.NonRetryableError(err)
+ }
+
+ return nil
+ })
+
+ if isResourceTimeoutError(err) {
+ _, _ = conn.EnableMacieWithContext(ctx, input)
+ }
+
+ if err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountCreate, err))
+ }
+
+ d.SetId(resource.UniqueId())
+
+ return resourceMacie2AccountRead(ctx, d, meta)
+}
+
+func resourceMacie2AccountRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).macie2conn
+
+ input := &macie2.GetMacieSessionInput{}
+
+ log.Printf("[DEBUG] Reading Macie2 Account: %s", input)
+ resp, err := conn.GetMacieSessionWithContext(ctx, input)
+ if err != nil {
+ if isAWSErr(err, macie2.ErrCodeResourceNotFoundException, "") {
+ log.Printf("[WARN] Macie2 Account does not exist, removing from state: %s", d.Id())
+ d.SetId("")
+ return nil
+ }
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountRead, d.Id(), err))
+ }
+
+ if err = d.Set("status", resp.Status); err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "status", d.Id(), err))
+ }
+ if err = d.Set("finding_publishing_frequency", resp.FindingPublishingFrequency); err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "finding_publishing_frequency", d.Id(), err))
+ }
+ if err = d.Set("service_role", resp.ServiceRole); err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "service_role", d.Id(), err))
+ }
+ if err = d.Set("created_at", resp.CreatedAt.String()); err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "created_at", d.Id(), err))
+ }
+ if err = d.Set("updated_at", resp.UpdatedAt.String()); err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "updated_at", d.Id(), err))
+ }
+
+ return nil
+}
+
+func resourceMacie2AccountUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).macie2conn
+
+ input := &macie2.UpdateMacieSessionInput{}
+
+ if d.HasChange("finding_publishing_frequency") {
+ input.FindingPublishingFrequency = aws.String(d.Get("finding_publishing_frequency").(string))
+ }
+
+ if d.HasChange("status") {
+ input.Status = aws.String(d.Get("status").(string))
+ }
+
+ log.Printf("[DEBUG] Updating Macie2 Account: %s", input)
+ _, err := conn.UpdateMacieSessionWithContext(ctx, input)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountUpdating, d.Id(), err))
+ }
+
+ return resourceMacie2AccountRead(ctx, d, meta)
+}
+
+func resourceMacie2AccountDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).macie2conn
+
+ input := &macie2.DisableMacieInput{}
+
+ log.Printf("[DEBUG] Disabling Macie2 Account: %s", input)
+ _, err := conn.DisableMacieWithContext(ctx, input)
+ if err != nil {
+ if isAWSErr(err, macie2.ErrorCodeInternalError, "") {
+ return nil
+ }
+ return diag.FromErr(fmt.Errorf(errorMacie2AccountDelete, d.Id(), err))
+ }
+ return nil
+}
diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
new file mode 100644
index 00000000000..491c4274aa1
--- /dev/null
+++ b/aws/resource_aws_macie2_account_test.go
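Review bot: In resourceMacie2AccountCreate the timeout fallback `_, _ = conn.EnableMacieWithContext(ctx, input)` throws away its result, so `err` still carries the timeout error and the function fails even when this last attempt succeeded; it should be `_, err = conn.EnableMacieWithContext(ctx, input)`. In resourceMacie2AccountRead, `resp.CreatedAt.String()` and `resp.UpdatedAt.String()` call through `*time.Time` fields that can be nil and would panic; `aws.TimeValue(resp.CreatedAt).Format(time.RFC3339)` is nil-safe and yields the ISO 8601 form the docs describe. The retry and delete branches match on `macie2.ErrorCodeClientError` and `macie2.ErrorCodeInternalError`, which appear to be values of the SDK's `ErrorCode` response enum rather than exception codes, so those branches are unlikely to ever fire; the later hunks in patches 07 and 11 keep the same constants. Lastly, `d.SetId(resource.UniqueId())` keys this per-account singleton with a random string, so `terraform import` accepts any value; the caller's account ID (`meta.(*AWSClient).accountid`) would be a meaningful, stable identifier.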
@@ -0,0 +1,248 @@
+package aws
+
+import (
+ "fmt"
+ "github.com/aws/aws-sdk-go/service/macie2"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+ "testing"
+)
+
+func TestAccAwsMacie2Account_basic(t *testing.T) {
+ var macie2Output macie2.GetMacieSessionOutput
+ resourceName := "aws_macie2_account.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactories,
+ CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testaccawsmacieaccountconfigBasic(),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttrSet(resourceName, "finding_publishing_frequency"),
+ resource.TestCheckResourceAttrSet(resourceName, "status"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAwsMacie2Account_WithFinding(t *testing.T) {
+ var macie2Output macie2.GetMacieSessionOutput
+ resourceName := "aws_macie2_account.test"
+ findingFreq := "FIFTEEN_MINUTES"
+ findingFreqUpdated := "ONE_HOUR"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactories,
+ CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testaccawsmacieaccountconfigWithfinding(findingFreq),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreq),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ Config: testaccawsmacieaccountconfigWithfinding(findingFreqUpdated),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreqUpdated),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAwsMacie2Account_WithStatus(t *testing.T) {
+ var macie2Output macie2.GetMacieSessionOutput
+ resourceName := "aws_macie2_account.test"
+ status := "ENABLED"
+ statusUpdated := "PAUSED"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactories,
+ CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testaccawsmacieaccountconfigWithstatus(status),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "status", status),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ Config: testaccawsmacieaccountconfigWithstatus(statusUpdated),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "status", statusUpdated),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAwsMacie2Account_WithFindingAndStatus(t *testing.T) {
+ var macie2Output macie2.GetMacieSessionOutput
+ resourceName := "aws_macie2_account.test"
+ findingFreq := "FIFTEEN_MINUTES"
+ status := "ENABLED"
+ findingFreqUpdated := "ONE_HOUR"
+ statusUpdated := "PAUSED"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactories,
+ CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testaccawsmacieaccountconfigWithfindingandstatus(findingFreq, status),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreq),
+ resource.TestCheckResourceAttr(resourceName, "status", status),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ Config: testaccawsmacieaccountconfigWithfindingandstatus(findingFreqUpdated, statusUpdated),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreqUpdated),
+ resource.TestCheckResourceAttr(resourceName, "status", statusUpdated),
+ resource.TestCheckResourceAttrSet(resourceName, "service_role"),
+ resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+ resource.TestCheckResourceAttrSet(resourceName, "updated_at"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccCheckAwsMacie2AccountDestroy(s *terraform.State) error {
+ conn := testAccProvider.Meta().(*AWSClient).macie2conn
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "aws_macie2_account" {
+ continue
+ }
+
+ input := &macie2.GetMacieSessionInput{}
+ resp, err := conn.GetMacieSession(input)
+
+ if isAWSErr(err, macie2.ErrCodeAccessDeniedException, "") {
+ continue
+ }
+
+ if err != nil {
+ return err
+ }
+
+ if resp != nil {
+ return fmt.Errorf("macie2 account %q still enabled", rs.Primary.ID)
+ }
+ }
+
+ return nil
+
+}
+
+func testAccCheckAwsMacie2AccountExists(resourceName string, macie2Session *macie2.GetMacieSessionOutput) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources[resourceName]
+ if !ok {
+ return fmt.Errorf("not found: %s", resourceName)
+ }
+
+ conn := testAccProvider.Meta().(*AWSClient).macie2conn
+ input := &macie2.GetMacieSessionInput{}
+
+ resp, err := conn.GetMacieSession(input)
+
+ if err != nil {
+ return err
+ }
+
+ if resp == nil {
+ return fmt.Errorf("macie2 account %q does not exist", rs.Primary.ID)
+ }
+
+ *macie2Session = *resp
+
+ return nil
+ }
+}
+
+func testaccawsmacieaccountconfigBasic() string {
+ return fmt.Sprintf(`
+resource "aws_macie2_account" "test" {}
+`)
+}
+
+func testaccawsmacieaccountconfigWithfinding(finding string) string {
+ return fmt.Sprintf(`
+resource "aws_macie2_account" "test" {
+ finding_publishing_frequency = "%s"
+}
+`, finding)
+}
+
+func testaccawsmacieaccountconfigWithstatus(status string) string {
+ return fmt.Sprintf(`
+resource "aws_macie2_account" "test" {
+ status = "%s"
+}
+`, status)
+}
+
+func testaccawsmacieaccountconfigWithfindingandstatus(finding, status string) string {
+ return fmt.Sprintf(`
+resource "aws_macie2_account" "test" {
+ finding_publishing_frequency = "%s"
+ status = "%s"
+}
+`, finding, status)
+}

From 5628f6603302279d1f1e4d08a4cdeaae495f7dfa Mon Sep 17 00:00:00 2001
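Review bot: The config helpers `testaccawsmacieaccountconfigBasic`, `testaccawsmacieaccountconfigWithfinding`, `testaccawsmacieaccountconfigWithstatus` and `testaccawsmacieaccountconfigWithfindingandstatus` are written in all-lowercase, unlike the `testAccCheckAwsMacie2Account*` helpers just above them and the provider's `testAccXxxConfigYyy` naming; renaming them to e.g. `testAccAwsMacie2AccountConfigBasic` keeps the file consistent. `TestAccAwsMacie2Account_basic` asserts `updated_at` twice in its check list; one of the two can go. In testAccCheckAwsMacie2AccountDestroy, any AccessDeniedException from GetMacieSession is taken as proof that Macie is disabled, which would also pass if the test principal merely lacked `macie2:GetMacieSession`; passing the not-enabled message as `isAWSErr`'s third argument (exact text to be confirmed against the API) makes the destroy check stricter.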
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Tue, 13 Apr 2021 16:58:43 -0600
Subject: [PATCH 03/18] docs: added doc for resource macie2 account

---
 website/docs/r/macie2_account.html.markdown | 45 +++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 website/docs/r/macie2_account.html.markdown

diff --git a/website/docs/r/macie2_account.html.markdown b/website/docs/r/macie2_account.html.markdown
new file mode 100644
index 00000000000..bdb80e03a4b
--- /dev/null
+++ b/website/docs/r/macie2_account.html.markdown
@@ -0,0 +1,45 @@
+---
+subcategory: "Macie2"
+layout: "aws"
+page_title: "AWS: aws_macie2_account"
+description: |-
+ Provides a resource to manage an AWS Macie2 Account.
+---
+
+# Resource: aws_macie2_account
+
+Provides a resource to manage an [AWS Macie Account](https://docs.aws.amazon.com/macie/latest/APIReference/macie.html).
+
+## Example Usage
+
+```terraform
+resource "aws_macie2_account" "test" {
+ finding_publishing_frequency = "FIFTEEN_MINUTES"
+ status = "ENABLED"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `client_token` - (Optional) A unique, case-sensitive token that you provide to ensure the idempotency of the request.
+* `finding_publishing_frequency` - (Optional) Specifies how often to publish updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). Valid values are `FIFTEEN_MINUTES`, `ONE_HOUR` or `SIX_HOURS`.
+* `status` - (Optional) Specifies the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to `ENABLED`. Valid values are `ENABLED` or `PAUSED`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The unique identifier (ID) of the macie account.
+* `service_role` - The Amazon Resource Name (ARN) of the service-linked role that allows Macie to monitor and analyze data in AWS resources for the account.
+* `created_at` - The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created.
+* `updated_at` - The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Macie account.
+
+## Import
+
+`aws_macie2_account` can be imported using the id, e.g.
+
+```
+$ terraform import aws_macie2_account.example abcd1
+```

From 53468159f02317d2d1775840b0452e4f87848ee2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Sat, 17 Apr 2021 13:29:36 -0600
Subject: [PATCH 04/18] fixes a typo

---
 aws/resource_aws_macie2_account.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index 4310b05d518..c6bbe71ce2d 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -15,7 +15,7 @@ import (
 
 const (
 errorMacie2AccountCreate = "error enabling Macie2 Account: %s"
- errorMacie2AccountRead = "error updating Macie2 Account (%s): %w"
+ errorMacie2AccountRead = "error reading Macie2 Account (%s): %w"
 errorMacie2AccountUpdating = "error updating Macie2 Account (%s): %w"
 errorMacie2AccountDelete = "error disabling Macie2 Account (%s): %w"
 errorMacie2AccountSetting = "error setting `%s` for Macie2 Account (%s): %s"

From e3e5c08deb67b20a167f379964ac4d6206cf9da8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 16:49:49 -0600
Subject: [PATCH 05/18] fixes conflict

---
 go.mod | 2 +-
 go.sum | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index dca830ae674..66a0b1d2e56 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/terraform-providers/terraform-provider-aws
 go 1.16
 
 require (
- github.com/aws/aws-sdk-go v1.38.12
+ github.com/aws/aws-sdk-go v1.38.19
 github.com/beevik/etree v1.1.0
 github.com/fatih/color v1.9.0 // indirect
 github.com/hashicorp/aws-sdk-go-base v0.7.0

diff --git a/go.sum b/go.sum
index e9b7c3b44c5..d42997f2d7d 100644
--- a/go.sum
+++ b/go.sum
@@ -55,10 +55,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.31.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/aws/aws-sdk-go v1.38.2 h1:qUXZReQck3SdPwMN3HnNk1Mgq2jJJ2T7V+790HthW4g=
-github.com/aws/aws-sdk-go v1.38.2/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.38.12 h1:khtODkUna3iF53Cg3dCF4e6oWgrAEbZDU4x1aq+G0WY=
-github.com/aws/aws-sdk-go v1.38.12/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.38.19 h1:eg7LfiWRNYjbeS+w2+lHwZOKIgnh0NdYr6LkakZ112Y=
+github.com/aws/aws-sdk-go v1.38.19/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=

From 5d54332f870b7ec6e03d892598919511968ed8d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 16:50:09 -0600
Subject: [PATCH 06/18] reordered alphabetically

---
 aws/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws/provider.go b/aws/provider.go
index ea0e9b7f8d6..4067d433a5b 100644
--- a/aws/provider.go
+++ b/aws/provider.go
@@ -834,6 +834,7 @@ func Provider() *schema.Provider {
 "aws_lb_ssl_negotiation_policy": resourceAwsLBSSLNegotiationPolicy(),
 "aws_macie_member_account_association": resourceAwsMacieMemberAccountAssociation(),
 "aws_macie_s3_bucket_association": resourceAwsMacieS3BucketAssociation(),
+ "aws_macie2_account": resourceAwsMacie2Account(),
 "aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
 "aws_mq_broker": resourceAwsMqBroker(),
 "aws_mq_configuration": resourceAwsMqConfiguration(),
@@ -1115,7 +1116,6 @@ func Provider() *schema.Provider {
 "aws_xray_group": resourceAwsXrayGroup(),
 "aws_xray_sampling_rule": resourceAwsXraySamplingRule(),
 "aws_workspaces_ip_group": resourceAwsWorkspacesIpGroup(),
- "aws_macie2_account": resourceAwsMacie2Account(),
 
 // ALBs are actually LBs because they can be type `network` or `application`
 // To avoid regressions, we will add a new resource for each and they both point

From f32bed22839ba1fcf5d310bb324aeea883ca91cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 16:50:43 -0600
Subject: [PATCH 07/18] refactor: refactorized according to guideline

---
 aws/resource_aws_macie2_account.go | 49 +++++++++++++-----------------
 1 file changed, 21 insertions(+), 28 deletions(-)

diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index c6bbe71ce2d..b269e1216fb 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -3,39 +3,37 @@ package aws
 import (
 "context"
 "fmt"
+ "log"
+ "time"
+
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/macie2"
+ "github.com/hashicorp/aws-sdk-go-base/tfawserr"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
- "log"
- "time"
 )
 
 const (
- errorMacie2AccountCreate = "error enabling Macie2 Account: %s"
+ errorMacie2AccountCreate = "error enabling Macie2 Account: %w"
 errorMacie2AccountRead = "error reading Macie2 Account (%s): %w"
 errorMacie2AccountUpdating = "error updating Macie2 Account (%s): %w"
 errorMacie2AccountDelete = "error disabling Macie2 Account (%s): %w"
- errorMacie2AccountSetting = "error setting `%s` for Macie2 Account (%s): %s"
+ errorMacie2AccountSetting = "error setting `%s` for Macie2 Account (%s): %w"
 )
 
 func resourceAwsMacie2Account() *schema.Resource {
 return &schema.Resource{
- CreateContext: resourceMacie2AccountCreate,
- ReadContext: resourceMacie2AccountRead,
- UpdateContext: resourceMacie2AccountUpdate,
- DeleteContext: resourceMacie2AccountDelete,
+ CreateWithoutTimeout: resourceMacie2AccountCreate,
+ ReadWithoutTimeout: resourceMacie2AccountRead,
+ UpdateWithoutTimeout: resourceMacie2AccountUpdate,
+ DeleteWithoutTimeout: resourceMacie2AccountDelete,
 Importer: &schema.ResourceImporter{
 StateContext: schema.ImportStatePassthroughContext,
 },
 
 Schema: map[string]*schema.Schema{
- "client_token": {
- Type: schema.TypeString,
- Optional: true,
- },
 "finding_publishing_frequency": {
 Type: schema.TypeString,
 Optional: true,
@@ -67,11 +65,10 @@ func resourceAwsMacie2Account() *schema.Resource {
 func resourceMacie2AccountCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 conn := meta.(*AWSClient).macie2conn
 
- input := &macie2.EnableMacieInput{}
-
- if v, ok := d.GetOk("client_token"); ok {
- input.ClientToken = aws.String(v.(string))
+ input := &macie2.EnableMacieInput{
+ ClientToken: aws.String(resource.UniqueId()),
 }
+
 if v, ok := d.GetOk("finding_publishing_frequency"); ok {
 input.FindingPublishingFrequency = aws.String(v.(string))
 }
@@ -79,14 +76,11 @@ func resourceMacie2AccountCreate(ctx context.Context, d *schema.ResourceData, me
 input.Status = aws.String(v.(string))
 }
 
- log.Printf("[DEBUG] Enabling Macie2 Account: %v", input)
-
 var err error
 err = resource.RetryContext(ctx, 4*time.Minute, func() *resource.RetryError {
 _, err = conn.EnableMacieWithContext(ctx, input)
 if err != nil {
- if isAWSErr(err, macie2.ErrorCodeClientError, "") {
- log.Printf(errorMacie2AccountCreate, err)
+ if tfawserr.ErrCodeEquals(err, macie2.ErrorCodeClientError) {
 return resource.RetryableError(err)
 }
 
@@ -114,14 +108,15 @@ func resourceMacie2AccountRead(ctx context.Context, d *schema.ResourceData, meta
 
 input := &macie2.GetMacieSessionInput{}
 
- log.Printf("[DEBUG] Reading Macie2 Account: %s", input)
 resp, err := conn.GetMacieSessionWithContext(ctx, input)
+
+ if isAWSErr(err, macie2.ErrCodeAccessDeniedException, "") {
+ log.Printf("[WARN] Macie2 Account is not enabled, removing from state: %s", d.Id())
+ d.SetId("")
+ return nil
+ }
+
 if err != nil {
- if isAWSErr(err, macie2.ErrCodeResourceNotFoundException, "") {
- log.Printf("[WARN] Macie2 Account does not exist, removing from state: %s", d.Id())
- d.SetId("")
- return nil
- }
 return diag.FromErr(fmt.Errorf(errorMacie2AccountRead, d.Id(), err))
 }
 
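Review bot: In the @@ -114 hunk, resourceMacie2AccountRead now drops the resource from state on any AccessDeniedException, which is what Macie returns when it is not enabled but is also what a missing or revoked `macie2:GetMacieSession` permission returns; in that second case Terraform silently forgets the resource and the next apply issues a fresh EnableMacie instead of reporting the permission problem. Narrowing the branch to the not-enabled message, e.g. `if tfawserr.ErrMessageContains(err, macie2.ErrCodeAccessDeniedException, "<not-enabled message, confirm exact text>") {`, keeps genuine authorization failures visible while still handling the out-of-band disable that the disappears test exercises. The rest of the Read function, including the `d.Set` calls, lies outside this hunk.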
@@ -157,7 +152,6 @@ func resourceMacie2AccountUpdate(ctx context.Context, d *schema.ResourceData, me
 input.Status = aws.String(d.Get("status").(string))
 }
 
- log.Printf("[DEBUG] Updating Macie2 Account: %s", input)
 _, err := conn.UpdateMacieSessionWithContext(ctx, input)
 if err != nil {
 return diag.FromErr(fmt.Errorf(errorMacie2AccountUpdating, d.Id(), err))
@@ -171,7 +165,6 @@ func resourceMacie2AccountDelete(ctx context.Context, d *schema.ResourceData, me
 
 input := &macie2.DisableMacieInput{}
 
- log.Printf("[DEBUG] Disabling Macie2 Account: %s", input)
 _, err := conn.DisableMacieWithContext(ctx, input)
 if err != nil {
 if isAWSErr(err, macie2.ErrorCodeInternalError, "") {

From b0ebb548915c66e845c9a73d5c9ae6b33f30bcb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 16:51:16 -0600
Subject: [PATCH 08/18] test: added dissapear test, errcheck

---
 aws/resource_aws_macie2_account_test.go | 31 +++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
index 491c4274aa1..09715c820ea 100644
--- a/aws/resource_aws_macie2_account_test.go
+++ b/aws/resource_aws_macie2_account_test.go
@@ -2,10 +2,11 @@ package aws
 
 import (
 "fmt"
+ "testing"
+
 "github.com/aws/aws-sdk-go/service/macie2"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
- "testing"
 )
 
 func TestAccAwsMacie2Account_basic(t *testing.T) {
@@ -16,6 +17,7 @@ func TestAccAwsMacie2Account_basic(t *testing.T) {
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: testAccProviderFactories,
 CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID),
 Steps: []resource.TestStep{
 {
 Config: testaccawsmacieaccountconfigBasic(),
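Review bot: The @@ -171 hunk leaves resourceMacie2AccountDelete returning `nil` when DisableMacie fails with the matched error code, so Terraform removes the account from state while Macie may still be enabled, still billing, and still holding its service-linked role; the enclosing function continues past the end of the hunk. Unless that code provably means "already disabled", the error should be surfaced, `return diag.FromErr(fmt.Errorf(errorMacie2AccountDelete, d.Id(), err))`, or the call retried, with the silent path reserved for an explicit not-enabled response. Removing the `[DEBUG]` line itself is consistent with the other hunks in this commit.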
@@ -48,6 +50,7 @@ func TestAccAwsMacie2Account_WithFinding(t *testing.T) {
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: testAccProviderFactories,
 CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID),
 Steps: []resource.TestStep{
 {
 Config: testaccawsmacieaccountconfigWithfinding(findingFreq),
@@ -88,6 +91,7 @@ func TestAccAwsMacie2Account_WithStatus(t *testing.T) {
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: testAccProviderFactories,
 CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID),
 Steps: []resource.TestStep{
 {
 Config: testaccawsmacieaccountconfigWithstatus(status),
@@ -130,6 +134,7 @@ func TestAccAwsMacie2Account_WithFindingAndStatus(t *testing.T) {
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: testAccProviderFactories,
 CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID),
 Steps: []resource.TestStep{
 {
 Config: testaccawsmacieaccountconfigWithfindingandstatus(findingFreq, status),
@@ -162,6 +167,28 @@ func TestAccAwsMacie2Account_WithFindingAndStatus(t *testing.T) {
 })
 }
 
+func TestAccAwsMacie2Account_disappears(t *testing.T) {
+ var macie2Output macie2.GetMacieSessionOutput
+ resourceName := "aws_macie2_account.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactories,
+ CheckDestroy: testAccCheckAwsMacie2AccountDestroy,
+ ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID),
+ Steps: []resource.TestStep{
+ {
+ Config: testaccawsmacieaccountconfigBasic(),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output),
+ testAccCheckResourceDisappears(testAccProvider, resourceAwsMacie2Account(), resourceName),
+ ),
+ ExpectNonEmptyPlan: true,
+ },
+ },
+ })
+}
+
 func testAccCheckAwsMacie2AccountDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*AWSClient).macie2conn
 
@@ -217,7 +244,7 @@ func testAccCheckAwsMacie2AccountExists(resourceName string, macie2Session *maci
 }
 
 func testaccawsmacieaccountconfigBasic() string {
- return fmt.Sprintf(`
+ return fmt.Sprint(`
 resource "aws_macie2_account" "test" {}
 `)
 }

From 0afc02edc964d9060195c91abeb4172b3c2d0131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 17:05:18 -0600
Subject: [PATCH 09/18] docs: deleted client_token from docs

---
 website/docs/r/macie2_account.html.markdown | 1 -
 1 file changed, 1 deletion(-)

diff --git a/website/docs/r/macie2_account.html.markdown b/website/docs/r/macie2_account.html.markdown
index bdb80e03a4b..26cc4bf4809 100644
--- a/website/docs/r/macie2_account.html.markdown
+++ b/website/docs/r/macie2_account.html.markdown
@@ -23,7 +23,6 @@ resource "aws_macie2_account" "test" { The following arguments are supported: -* `client_token` - (Optional) A unique, case-sensitive token that you provide to ensure the idempotency of the request. * `finding_publishing_frequency` - (Optional) Specifies how often to publish updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). Valid values are `FIFTEEN_MINUTES`, `ONE_HOUR` or `SIX_HOURS`. * `status` - (Optional) Specifies the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to `ENABLED`. Valid values are `ENABLED` or `PAUSED`. From bb02e87f63dd05300f55dcde651cde4918545a4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20L=C3=B3pez?= Date: Mon, 26 Apr 2021 17:22:07 -0600 Subject: [PATCH 10/18] refactor:reordered alphabetically in providers --- aws/provider.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/provider.go b/aws/provider.go index 4067d433a5b..61fa8ad66fb 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -832,9 +832,9 @@ func Provider() *schema.Provider { "aws_load_balancer_backend_server_policy": resourceAwsLoadBalancerBackendServerPolicies(), "aws_load_balancer_listener_policy": resourceAwsLoadBalancerListenerPolicies(), "aws_lb_ssl_negotiation_policy": resourceAwsLBSSLNegotiationPolicy(), + "aws_macie2_account": resourceAwsMacie2Account(), "aws_macie_member_account_association": resourceAwsMacieMemberAccountAssociation(), "aws_macie_s3_bucket_association": resourceAwsMacieS3BucketAssociation(), - "aws_macie2_account": resourceAwsMacie2Account(), "aws_main_route_table_association": resourceAwsMainRouteTableAssociation(), "aws_mq_broker": resourceAwsMqBroker(), "aws_mq_configuration": resourceAwsMqConfiguration(), From 9d184b70624a64a00633f29a321484a20171384c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 17:37:29 -0600
Subject: [PATCH 11/18] refactor: changed awserr to tfawserr.ErrCodeEquals to respect the guidelines
---
aws/resource_aws_macie2_account.go | 4 ++--
aws/resource_aws_macie2_account_test.go | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index b269e1216fb..952a1255f0a 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -110,7 +110,7 @@ func resourceMacie2AccountRead(ctx context.Context, d *schema.ResourceData, meta
resp, err := conn.GetMacieSessionWithContext(ctx, input)
- if isAWSErr(err, macie2.ErrCodeAccessDeniedException, "") {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
log.Printf("[WARN] Macie2 Account is not enabled, removing from state: %s", d.Id())
d.SetId("")
return nil
@@ -167,7 +167,7 @@ func resourceMacie2AccountDelete(ctx context.Context, d *schema.ResourceData, me
_, err := conn.DisableMacieWithContext(ctx, input)
if err != nil {
- if isAWSErr(err, macie2.ErrorCodeInternalError, "") {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrorCodeInternalError) {
return nil
}
return diag.FromErr(fmt.Errorf(errorMacie2AccountDelete, d.Id(), err))
diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
index 09715c820ea..02a946bdf7e 100644
--- a/aws/resource_aws_macie2_account_test.go
+++ b/aws/resource_aws_macie2_account_test.go
@@ -5,6 +5,7 @@ import (
"testing"
"github.com/aws/aws-sdk-go/service/macie2"
+ "github.com/hashicorp/aws-sdk-go-base/tfawserr"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
)
@@ -200,7 +201,7 @@ func testAccCheckAwsMacie2AccountDestroy(s *terraform.State) error {
input := &macie2.GetMacieSessionInput{}
resp, err := conn.GetMacieSession(input)
- if isAWSErr(err, macie2.ErrCodeAccessDeniedException, "") {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
continue
}
From 55ead9f5ce11f899de1cc87703bcb173e979ad9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Mon, 26 Apr 2021 18:55:42 -0600
Subject: [PATCH 12/18] fix: fixes linter error
---
aws/resource_aws_macie2_account.go | 1 +
aws/resource_aws_macie2_account_test.go | 12 ++++++------
website/docs/r/macie2_account.html.markdown | 2 +-
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index 952a1255f0a..57591321725 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -98,6 +98,7 @@ func resourceMacie2AccountCreate(ctx context.Context, d *schema.ResourceData, me
return diag.FromErr(fmt.Errorf(errorMacie2AccountCreate, err))
}
+ //lintignore:R015 // Allow legacy unstable ID usage in managed resource
d.SetId(resource.UniqueId())
return resourceMacie2AccountRead(ctx, d, meta)
diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
index 02a946bdf7e..9da2a9a36c9 100644
--- a/aws/resource_aws_macie2_account_test.go
+++ b/aws/resource_aws_macie2_account_test.go
@@ -245,15 +245,15 @@ func testAccCheckAwsMacie2AccountExists(resourceName string, macie2Session *maci
}
func testaccawsmacieaccountconfigBasic() string {
- return fmt.Sprint(`
+ return `
resource "aws_macie2_account" "test" {}
-`)
+`
}
func testaccawsmacieaccountconfigWithfinding(finding string) string {
return fmt.Sprintf(`
resource "aws_macie2_account" "test" {
- finding_publishing_frequency = "%s"
+ finding_publishing_frequency = "%s"
}
`, finding)
}
@@ -261,7 +261,7 @@ resource "aws_macie2_account" "test" { func testaccawsmacieaccountconfigWithstatus(status string) string { return fmt.Sprintf(` resource "aws_macie2_account" "test" { - status = "%s" + status = "%s" } `, status) } @@ -269,8 +269,8 @@ resource "aws_macie2_account" "test" { func testaccawsmacieaccountconfigWithfindingandstatus(finding, status string) string { return fmt.Sprintf(` resource "aws_macie2_account" "test" { - finding_publishing_frequency = "%s" - status = "%s" + finding_publishing_frequency = "%s" + status = "%s" } `, finding, status) } diff --git a/website/docs/r/macie2_account.html.markdown b/website/docs/r/macie2_account.html.markdown index 26cc4bf4809..ff04bd46b94 100644 --- a/website/docs/r/macie2_account.html.markdown +++ b/website/docs/r/macie2_account.html.markdown @@ -15,7 +15,7 @@ Provides a resource to manage an [AWS Macie Account](https://docs.aws.amazon.com ```terraform resource "aws_macie2_account" "test" { finding_publishing_frequency = "FIFTEEN_MINUTES" - status = "ENABLED" + status = "ENABLED" } ``` From 04f3f178edbca78c790a5a116c51755861029d27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20L=C3=B3pez?= Date: Mon, 26 Apr 2021 20:28:54 -0600 Subject: [PATCH 13/18] added Macie2 in allowed-subcategories --- website/allowed-subcategories.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/website/allowed-subcategories.txt b/website/allowed-subcategories.txt index 4bcf7aaf80a..e64851c2311 100644 --- a/website/allowed-subcategories.txt +++ b/website/allowed-subcategories.txt @@ -81,6 +81,7 @@ Lex License Manager Lightsail MQ +Macie2 Macie Macie Classic Managed Streaming for Kafka (MSK) From d4ab4bf6ae00e2e7a4e8340ec571ce6657e684a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edgar=20L=C3=B3pez?= Date: Tue, 27 Apr 2021 14:28:02 -0600 Subject: [PATCH 14/18] refactor: refactorized to follow guidelines suggested by reviewer --- aws/resource_aws_macie2_account.go | 49 +++------- aws/resource_aws_macie2_account_test.go | 101 ++++++++++---------- website/allowed-subcategories.txt | 1 - website/docs/r/macie2_account.html.markdown | 10 +- 4 files changed, 68 insertions(+), 93 deletions(-) diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go index 57591321725..3c67c3f7da4 100644 --- a/aws/resource_aws_macie2_account.go +++ b/aws/resource_aws_macie2_account.go @@ -15,14 +15,6 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" ) -const ( - errorMacie2AccountCreate = "error enabling Macie2 Account: %w" - errorMacie2AccountRead = "error reading Macie2 Account (%s): %w" - errorMacie2AccountUpdating = "error updating Macie2 Account (%s): %w" - errorMacie2AccountDelete = "error disabling Macie2 Account (%s): %w" - errorMacie2AccountSetting = "error setting `%s` for Macie2 Account (%s): %w" -) - func resourceAwsMacie2Account() *schema.Resource { return &schema.Resource{ CreateWithoutTimeout: resourceMacie2AccountCreate, @@ -38,13 +30,13 @@ func resourceAwsMacie2Account() *schema.Resource { Type: schema.TypeString, Optional: true, Computed: true, - ValidateFunc: validation.StringInSlice([]string{"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}, false), + ValidateFunc: validation.StringInSlice(macie2.FindingPublishingFrequency_Values(), false), }, "status": { Type: schema.TypeString, Optional: true, Computed: true, - ValidateFunc: validation.StringInSlice([]string{"PAUSED", "ENABLED"}, false), + ValidateFunc: validation.StringInSlice(macie2.MacieStatus_Values(), false), }, "service_role": { Type: schema.TypeString, 
@@ -91,15 +83,14 @@ func resourceMacie2AccountCreate(ctx context.Context, d *schema.ResourceData, me
})
if isResourceTimeoutError(err) {
- _, _ = conn.EnableMacieWithContext(ctx, input)
+ _, err = conn.EnableMacieWithContext(ctx, input)
}
if err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountCreate, err))
+ return diag.FromErr(fmt.Errorf("error enabling Macie Account: %w", err))
}
- //lintignore:R015 // Allow legacy unstable ID usage in managed resource
- d.SetId(resource.UniqueId())
+ d.SetId(meta.(*AWSClient).accountid)
return resourceMacie2AccountRead(ctx, d, meta)
}
@@ -112,30 +103,20 @@ func resourceMacie2AccountRead(ctx context.Context, d *schema.ResourceData, meta
resp, err := conn.GetMacieSessionWithContext(ctx, input)
if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
- log.Printf("[WARN] Macie2 Account is not enabled, removing from state: %s", d.Id())
+ log.Printf("[WARN] Macie not enabled for AWS account (%s), removing from state", d.Id())
d.SetId("")
return nil
}
if err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountRead, d.Id(), err))
+ return diag.FromErr(fmt.Errorf("error reading Macie Account (%s): %w", d.Id(), err))
}
- if err = d.Set("status", resp.Status); err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "status", d.Id(), err))
- }
- if err = d.Set("finding_publishing_frequency", resp.FindingPublishingFrequency); err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "finding_publishing_frequency", d.Id(), err))
- }
- if err = d.Set("service_role", resp.ServiceRole); err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "service_role", d.Id(), err))
- }
- if err = d.Set("created_at", resp.CreatedAt.String()); err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "created_at", d.Id(), err))
- }
- if err = d.Set("updated_at", resp.UpdatedAt.String()); err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountSetting, "updated_at", d.Id(), err))
- }
+ d.Set("status", resp.Status)
+ d.Set("finding_publishing_frequency", resp.FindingPublishingFrequency)
+ d.Set("service_role", resp.ServiceRole)
+ d.Set("created_at", aws.TimeValue(resp.CreatedAt).Format(time.RFC3339))
+ d.Set("updated_at", aws.TimeValue(resp.UpdatedAt).Format(time.RFC3339))
return nil
}
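Review bot: `aws.TimeValue(resp.CreatedAt).Format(time.RFC3339)` on the new side writes `0001-01-01T00:00:00Z` into state whenever the pointer is nil, and the acceptance tests' RFC 3339 attribute check would accept that as a genuine timestamp; the removed `resp.CreatedAt.String()` would have panicked on nil, so the new form is quieter but not more correct. Whether the API can omit these fields is not visible here; if it can, guard the two timestamp writes, `if resp.CreatedAt != nil { d.Set("created_at", aws.TimeValue(resp.CreatedAt).Format(time.RFC3339)) }`, and the same for `updated_at`. The blanket `ErrCodeAccessDeniedException` removal-from-state earlier in the hunk is narrowed by the final commit of this series, so it is not re-raised here. resourceMacie2AccountRead begins before the hunk.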
@@ -155,7 +136,7 @@ func resourceMacie2AccountUpdate(ctx context.Context, d *schema.ResourceData, me
_, err := conn.UpdateMacieSessionWithContext(ctx, input)
if err != nil {
- return diag.FromErr(fmt.Errorf(errorMacie2AccountUpdating, d.Id(), err))
+ return diag.FromErr(fmt.Errorf("error updating Macie Account (%s): %w", d.Id(), err))
}
return resourceMacie2AccountRead(ctx, d, meta)
@@ -168,10 +149,10 @@ func resourceMacie2AccountDelete(ctx context.Context, d *schema.ResourceData, me
_, err := conn.DisableMacieWithContext(ctx, input)
if err != nil {
- if tfawserr.ErrCodeEquals(err, macie2.ErrorCodeInternalError) {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
return nil
}
- return diag.FromErr(fmt.Errorf(errorMacie2AccountDelete, d.Id(), err))
+ return diag.FromErr(fmt.Errorf("error disabling Macie Account (%s): %w", d.Id(), err))
}
return nil
}
diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
index 9da2a9a36c9..0726ffc6c66 100644
--- a/aws/resource_aws_macie2_account_test.go
+++ b/aws/resource_aws_macie2_account_test.go
@@ -21,15 +21,14 @@ func TestAccAwsMacie2Account_basic(t *testing.T) { ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID), Steps: []resource.TestStep{ { - Config: testaccawsmacieaccountconfigBasic(), + Config: testAccAwsMacieAccountConfigBasic(), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttrSet(resourceName, "finding_publishing_frequency"), - resource.TestCheckResourceAttrSet(resourceName, "status"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyFifteenMinutes), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusEnabled), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { @@ -41,11 +40,9 @@ func TestAccAwsMacie2Account_basic(t *testing.T) { }) } -func TestAccAwsMacie2Account_WithFinding(t *testing.T) { +func TestAccAwsMacie2Account_FindingPublishingFrequency(t *testing.T) { var macie2Output macie2.GetMacieSessionOutput resourceName := "aws_macie2_account.test" - findingFreq := "FIFTEEN_MINUTES" - findingFreqUpdated := "ONE_HOUR" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
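Review bot: The service-linked role path `role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie` is spelled out verbatim in the `testAccCheckResourceAttrGlobalARN` call of this hunk and again in every check step of the hunks that follow through `TestAccAwsMacie2Account_WithFindingAndStatus`. A single package-level constant, e.g. `const testAccMacieServiceRolePath = "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"`, would keep the expected value in one place so a future change to the role name is a one-line edit rather than eight. This is a style point only; the assertions themselves are a clear improvement over the previous `TestCheckResourceAttrSet` checks.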
@@ -54,23 +51,25 @@ func TestAccAwsMacie2Account_WithFinding(t *testing.T) { ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID), Steps: []resource.TestStep{ { - Config: testaccawsmacieaccountconfigWithfinding(findingFreq), + Config: testAccAwsMacieAccountConfigWithFinding(macie2.FindingPublishingFrequencyFifteenMinutes), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreq), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyFifteenMinutes), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusEnabled), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { - Config: testaccawsmacieaccountconfigWithfinding(findingFreqUpdated), + Config: testAccAwsMacieAccountConfigWithFinding(macie2.FindingPublishingFrequencyOneHour), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreqUpdated), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyOneHour), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusEnabled), + 
testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { @@ -85,8 +84,6 @@ func TestAccAwsMacie2Account_WithFinding(t *testing.T) { func TestAccAwsMacie2Account_WithStatus(t *testing.T) { var macie2Output macie2.GetMacieSessionOutput resourceName := "aws_macie2_account.test" - status := "ENABLED" - statusUpdated := "PAUSED" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -95,23 +92,25 @@ func TestAccAwsMacie2Account_WithStatus(t *testing.T) { ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID), Steps: []resource.TestStep{ { - Config: testaccawsmacieaccountconfigWithstatus(status), + Config: testAccAwsMacieAccountConfigWithstatus(macie2.MacieStatusEnabled), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "status", status), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyFifteenMinutes), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusEnabled), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { - Config: testaccawsmacieaccountconfigWithstatus(statusUpdated), + Config: testAccAwsMacieAccountConfigWithstatus(macie2.MacieStatusPaused), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "status", statusUpdated), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyFifteenMinutes), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusPaused), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", 
"role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { @@ -126,10 +125,6 @@ func TestAccAwsMacie2Account_WithStatus(t *testing.T) { func TestAccAwsMacie2Account_WithFindingAndStatus(t *testing.T) { var macie2Output macie2.GetMacieSessionOutput resourceName := "aws_macie2_account.test" - findingFreq := "FIFTEEN_MINUTES" - status := "ENABLED" - findingFreqUpdated := "ONE_HOUR" - statusUpdated := "PAUSED" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -138,25 +133,25 @@ func TestAccAwsMacie2Account_WithFindingAndStatus(t *testing.T) { ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID), Steps: []resource.TestStep{ { - Config: testaccawsmacieaccountconfigWithfindingandstatus(findingFreq, status), + Config: testAccAwsMacieAccountConfigWithfindingandstatus(macie2.FindingPublishingFrequencyFifteenMinutes, macie2.MacieStatusEnabled), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreq), - resource.TestCheckResourceAttr(resourceName, "status", status), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyFifteenMinutes), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusEnabled), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { - Config: testaccawsmacieaccountconfigWithfindingandstatus(findingFreqUpdated, statusUpdated), + Config: testAccAwsMacieAccountConfigWithfindingandstatus(macie2.FindingPublishingFrequencyOneHour, macie2.MacieStatusPaused), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), - resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", findingFreqUpdated), - resource.TestCheckResourceAttr(resourceName, "status", statusUpdated), - resource.TestCheckResourceAttrSet(resourceName, "service_role"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - 
resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttr(resourceName, "finding_publishing_frequency", macie2.FindingPublishingFrequencyOneHour), + resource.TestCheckResourceAttr(resourceName, "status", macie2.MacieStatusPaused), + testAccCheckResourceAttrGlobalARN(resourceName, "service_role", "iam", "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"), + testAccCheckResourceAttrRfc3339(resourceName, "created_at"), + testAccCheckResourceAttrRfc3339(resourceName, "updated_at"), ), }, { @@ -179,7 +174,7 @@ func TestAccAwsMacie2Account_disappears(t *testing.T) { ErrorCheck: testAccErrorCheck(t, macie2.EndpointsID), Steps: []resource.TestStep{ { - Config: testaccawsmacieaccountconfigBasic(), + Config: testAccAwsMacieAccountConfigBasic(), Check: resource.ComposeTestCheckFunc( testAccCheckAwsMacie2AccountExists(resourceName, &macie2Output), testAccCheckResourceDisappears(testAccProvider, resourceAwsMacie2Account(), resourceName), @@ -244,13 +239,13 @@ func testAccCheckAwsMacie2AccountExists(resourceName string, macie2Session *maci } } -func testaccawsmacieaccountconfigBasic() string { +func testAccAwsMacieAccountConfigBasic() string { return ` resource "aws_macie2_account" "test" {} ` } -func testaccawsmacieaccountconfigWithfinding(finding string) string { +func testAccAwsMacieAccountConfigWithFinding(finding string) string { return fmt.Sprintf(` resource "aws_macie2_account" "test" { finding_publishing_frequency = "%s" @@ -258,7 +253,7 @@ resource "aws_macie2_account" "test" { `, finding) } -func testaccawsmacieaccountconfigWithstatus(status string) string { +func testAccAwsMacieAccountConfigWithstatus(status string) string { return fmt.Sprintf(` resource "aws_macie2_account" "test" { status = "%s" 
@@ -266,7 +261,7 @@ resource "aws_macie2_account" "test" { `, status) } -func testaccawsmacieaccountconfigWithfindingandstatus(finding, status string) string { +func testAccAwsMacieAccountConfigWithfindingandstatus(finding, status string) string { return fmt.Sprintf(` resource "aws_macie2_account" "test" { finding_publishing_frequency = "%s" diff --git a/website/allowed-subcategories.txt b/website/allowed-subcategories.txt index e64851c2311..4bcf7aaf80a 100644 --- a/website/allowed-subcategories.txt +++ b/website/allowed-subcategories.txt @@ -81,7 +81,6 @@ Lex License Manager Lightsail MQ -Macie2 Macie Macie Classic Managed Streaming for Kafka (MSK) diff --git a/website/docs/r/macie2_account.html.markdown b/website/docs/r/macie2_account.html.markdown index ff04bd46b94..96906652961 100644 --- a/website/docs/r/macie2_account.html.markdown +++ b/website/docs/r/macie2_account.html.markdown @@ -1,9 +1,9 @@ --- -subcategory: "Macie2" +subcategory: "Macie" layout: "aws" page_title: "AWS: aws_macie2_account" description: |- - Provides a resource to manage an AWS Macie2 Account. + Provides a resource to manage Amazon Macie on an AWS Account. --- # Resource: aws_macie2_account 
@@ -24,7 +24,7 @@ resource "aws_macie2_account" "test" { The following arguments are supported: * `finding_publishing_frequency` - (Optional) Specifies how often to publish updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). Valid values are `FIFTEEN_MINUTES`, `ONE_HOUR` or `SIX_HOURS`. -* `status` - (Optional) Specifies the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to `ENABLED`. Valid values are `ENABLED` or `PAUSED`. +* `status` - (Optional) Specifies the status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to `ENABLED`. Valid values are `ENABLED` or `PAUSED`. ## Attributes Reference @@ -32,8 +32,8 @@ In addition to all arguments above, the following attributes are exported: * `id` - The unique identifier (ID) of the macie account. * `service_role` - The Amazon Resource Name (ARN) of the service-linked role that allows Macie to monitor and analyze data in AWS resources for the account. -* `created_at` - The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created. -* `updated_at` - The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Macie account. +* `created_at` - The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie account was created. +* `updated_at` - The date and time, in UTC and extended RFC 3339 format, of the most recent change to the status of the Macie account. ## Import From 9512678cc806aff4f9153f3500a80da0147fb141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20L=C3=B3pez?= Date: Tue, 27 Apr 2021 19:33:42 -0600 Subject: [PATCH 15/18] changed macie2 to macie in comments --- aws/resource_aws_macie2_account_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/aws/resource_aws_macie2_account_test.go b/aws/resource_aws_macie2_account_test.go
index 0726ffc6c66..480d51d6c19 100644
--- a/aws/resource_aws_macie2_account_test.go
+++ b/aws/resource_aws_macie2_account_test.go
@@ -205,7 +205,7 @@ func testAccCheckAwsMacie2AccountDestroy(s *terraform.State) error {
}
if resp != nil {
- return fmt.Errorf("macie2 account %q still enabled", rs.Primary.ID)
+ return fmt.Errorf("macie account %q still enabled", rs.Primary.ID)
}
}
@@ -230,7 +230,7 @@ func testAccCheckAwsMacie2AccountExists(resourceName string, macie2Session *maci
}
if resp == nil {
- return fmt.Errorf("macie2 account %q does not exist", rs.Primary.ID)
+ return fmt.Errorf("macie account %q does not exist", rs.Primary.ID)
}
*macie2Session = *resp
From 7ae0629d720433d5f8015eaf8ce1a0dae3f344d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Wed, 28 Apr 2021 18:26:03 -0600
Subject: [PATCH 16/18] refactor: changed the validation in delete function
---
aws/resource_aws_macie2_account.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index 3c67c3f7da4..c4583663225 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -149,7 +149,8 @@ func resourceMacie2AccountDelete(ctx context.Context, d *schema.ResourceData, me
_, err := conn.DisableMacieWithContext(ctx, input)
if err != nil {
- if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrCodeResourceNotFoundException) ||
+ tfawserr.ErrMessageContains(err, macie2.ErrCodeAccessDeniedException, "Macie is not enabled") {
return nil
}
return diag.FromErr(fmt.Errorf("error disabling Macie Account (%s): %w", d.Id(), err))
From 28004f1c6b65d356bea6b3109242d8cca08c3716 Mon Sep 17 00:00:00 2001
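Review bot: The new `tfawserr.ErrMessageContains(err, macie2.ErrCodeAccessDeniedException, "Macie is not enabled")` branch in resourceMacie2AccountDelete keys on the service's human-readable message, which is not part of the API contract, and nothing in the hunk records why a plain code match was not used. The trade-off cuts both ways: a wording change on the service side would turn every already-disabled delete into a hard error, while a future tidy-up back to `ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException)` (the form this commit replaces) would again treat a genuine IAM denial of DisableMacie as success and drop a still-enabled Macie session from state. A comment on the added condition should capture that, e.g. `// An already-disabled account surfaces as AccessDeniedException; match the message so a real permission denial still fails the destroy`. The same point applies to the identical check added to resourceMacie2AccountRead in the final commit of the series. The function's trailing `return nil` and closing brace are outside the hunk.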
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Wed, 28 Apr 2021 18:26:16 -0600
Subject: [PATCH 17/18] added changelog file
---
.changelog/19069.txt | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .changelog/19069.txt
diff --git a/.changelog/19069.txt b/.changelog/19069.txt
new file mode 100644
index 00000000000..7086bc6ae14
--- /dev/null
+++ b/.changelog/19069.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_macie2_account
+```
From 840a23693f046bf7e1979ba5479e65ba6bfcb0fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20L=C3=B3pez?=
Date: Thu, 29 Apr 2021 11:44:07 -0600
Subject: [PATCH 18/18] added same error validation as delete for read
---
aws/resource_aws_macie2_account.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/aws/resource_aws_macie2_account.go b/aws/resource_aws_macie2_account.go
index c4583663225..ede039c2e4c 100644
--- a/aws/resource_aws_macie2_account.go
+++ b/aws/resource_aws_macie2_account.go
@@ -102,7 +102,8 @@ func resourceMacie2AccountRead(ctx context.Context, d *schema.ResourceData, meta
resp, err := conn.GetMacieSessionWithContext(ctx, input)
- if tfawserr.ErrCodeEquals(err, macie2.ErrCodeAccessDeniedException) {
+ if tfawserr.ErrCodeEquals(err, macie2.ErrCodeResourceNotFoundException) ||
+ tfawserr.ErrMessageContains(err, macie2.ErrCodeAccessDeniedException, "Macie is not enabled") {
log.Printf("[WARN] Macie not enabled for AWS account (%s), removing from state", d.Id())
d.SetId("")
return nil
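Review bot: After this narrowing, the acceptance test's `testAccCheckAwsMacie2AccountDestroy` (changed in commit 11 of this series) is looser than the resource it verifies: it still treats any `AccessDeniedException` from `GetMacieSession` as "destroyed" via `continue`, so a credentials or IAM problem during teardown would make CheckDestroy pass vacuously instead of reporting that Macie may still be enabled. Narrow it the same way as the read path here, `if tfawserr.ErrCodeEquals(err, macie2.ErrCodeResourceNotFoundException) || tfawserr.ErrMessageContains(err, macie2.ErrCodeAccessDeniedException, "Macie is not enabled") { continue }`, so the test and the resource agree on what "not enabled" means. The `[WARN]` log line in this hunk would also be worth keeping truthful by mentioning that a `ResourceNotFoundException` is now handled the same way, since the message only speaks of "not enabled". resourceMacie2AccountRead continues past the hunk.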